HIPAA
HIPAA Privacy and Security regulations apply to research involving human subjects and:
1. Impact the use and disclosure of PHI for research 2. Do not replace other federal research regulations; therefore, all existing regulations related to human research remain in effect. 3. Apply whether or not the research is funded by the government.
HIPAA civil penalties include fines from ___ to ____
$100 to $1.5 million
What are some examples of breaching?
1) Accessing PHI without a work-related need to know 2) Sharing PHI with those who do not ned it for work purposes 3) Copying or removing PHI from the appropriate area 4) Having patient-related conversations in public settings 5) Sending a fax containing PHI to the wrong destination 6) Loss or theft of records containing PHI
Often principal investigators are also clinicians. Therefore, additional guidance must be followed:
1) Principal investigators or their designees should not use their clinical access to search patient records for potential research participants. 2) Physicians who are involved in research activities may contact only their own patients while recruiting for research activities.
The only expectations to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:
1) Treatment 2) Purposes for which a patient authorization is signed 3) Disclosures required by law 4) Sharing information to the patient about himself/herself
What are the 8 core standards that govern how UAB/UABHS and its personnel shall operate in order to meet the HIPAA Security Regulations?
1. Information System and Account Management 2. Internet and Email Use 3. Media Reallocation and Disposal 4. Information Systems and Network Access 5. Contingency Planning 6. Risk Analysis and Management of EPHI 7. Security Incident Response 8. Use of Portable Devices for Computing and Data Storage
Safeguards to follow before sending PHI via Fax
1. approved fax cover sheet that includes a confidentiality statement. 2. No PHI on cover sheet 3. Limit PHI 4. Double check fax numbers 5. check confirmation sheets to verify that the transmission was successful and accurate 6. Ensure that confidential information is not left on the fax machine
18 identifiers that are considered PHI
1. name 2. geographic subdivisions smaller than a state 3. all elements of date (except year) 4. telephone numbers 5. fax numbers 6. electronic mail address 7. social security number 8. medical record numbers 9. health plan beneficiary numbers 10. account numbers 11. certificate/license numbers 12. vehicle identifies and serial numbers 13. device identifiers 14. URLs 15. IP addresses 16. biometric identifiers 17. full face images 18. any other unique identifying number
All ages over _____ are indicative of age according to PHI
89
What is required before a covered entity can contract a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity's PHI.
A Business Associate Agreement (BAA)
What is the federal civil penalty for knowingly violating HIPAA Privacy and Security regulations
A fine ranging from $100 up to $1.5 million per violation depending on the harmful intent of the violation.
What does a BAA do?
Binds the third party individual or vendor to the HIPAA regulations when performing the contracted services.
HIPAA Security Rule enforces:
Confidentiality, Integrity, Availability
What should I do if I need to see my personal medical record (electronic or paper record) or my spouse's record?
Contact Health Information Management or the physician's office for copies.
True or False : Only employees of UAB must comply with HIPAA regulations.
False. All employees, students, and volunteers of the covered entities must comply with HIPAA regulations.
True or False- there is no harm in using public websites (Google, MS office) for storing PHI or research data.
False. Do not use public websites (Google, MS office) for storing PHI or research data.
True or False- It is okay to discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs as long as they do not tell.
False. Do not discuss PHI outside of work or with other employees who do not need to know the information to perform their jobs
As a rule, first contact _____ for PHI to be used for IRB-approved research protocols.
Health Information Management
What happens to media (i.e. CDs, disks, or thumb drives) that contain PHI or other sensitive information that is no longer being used?
It must be cleaned or sanitized before reallocating or destroying. Once they are sanitized, place them in specially marked secure containers for destruction.
What happens to physical documents that contain PHI or other sensitive information that is no longer being used?
It must be shredded immediately or placed in securely locked boxes or rooms to await shredding.
What is the fine for criminal penalties for "wrongful disclosure"?
Large fines of $50K to $250K and up to 10 years in prison
After using a clinic application on a shared workstation (nursing station), the user must take which of the following steps?
Logoff the application.
My password or other means of access to UAB/UABHS information systems can be shared with which of the following?
No one
Under what circumstances are you free to repeat to others PHI you hear while performing your UAB/UABHS job responsibilities?
Only when authorized for business purposes (TPO)
What are privacy core standards?
Privacy core standards govern how UAB/UABHS and its workforce shall operate in order to meet the HIPAA Privacy Rule. In particular:1) Use and Disclosure of Dealth Information2) Use and Disclosure of Health Information for Marketing3) Use and Disclosure of Health Information for Fundraising4) Use and Disclosure of Identifiable Health Information for Research5) Patient Health Information Rights
Routine requests and authorizations for PHI should be send through the _______ whenever possible.
Regular mail
Who can you report a suspected breach of HIPAA to?
Report to any of the following: 1. Your administrative supervisor 2. Your HIPAA Entity Privacy Coordinator (EPC) or your HIPAA Entity Security Coordinator (ESC) 3. The appropriate information systems help desk 4. The Privacy Office, the Office of Corporate Compliance, or the Office of University Compliance 5. The Institutional Review Board (IRB) if research data are involved
What are your rights regarding medical and dental information about yourself?
Right to: 1. inspect and copy 2. amend 3. accounting of disclosures 4. request restrictions 5. request that health info pertaining to services paid out of pocket not be send to insurance 6. request confidential communications 7. revoke authorization8. paper copy of this notice
________ also can pursue civil suits against persons who violate HIPAA privacy and security regulations.
State attorney generals
True or False - A HIPAA covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure.
TRUE
True or False - Different departments of UAB may share medical and dental information to coordinate different things a patient needs
TRUE
True or False - If a research study has been approved by the IRB, then a principal investigator can use her clinical access to view medical records (electronic or paper) to identify potential research participants but only from records of those patients for whom she was directly involved in their care.
TRUE
True or False - If you are involved in a lawsuit or a dispute, we may disclose medical and dental information about you in response to a court or administrative order
TRUE
True or False - Individual employees are NOT authorized to sign contracts on behalf of UAB/UABHS
TRUE
True or False - One exception to "Do not email PHI": Emails with PHI can be transmitted in the UAB/UABHS email systems if you and the person to whom you are sending an email both have email addresses ending in either "uab.edu" or "uabmc.edu."
TRUE
True or False - UAB/UABHS has developed HIPAA core standards that govern how the organization and its personnel shall operate to comply with HIPAA regulations
TRUE
True or False - we are required to report child, elder, and domestic abuse or neglect to the state of Alabama
TRUE
True or False - we must notify patients in the case of a breach of their identifiable medical and dental information
TRUE
True or False- BAA must be approved in accordance with appropriate UAB/UABHS policies and procedures
TRUE
True or False- It is never allowed to forward your UAB/UABHS email account to another email system (gmail, AOL, hotmail, etc.)
TRUE
True or False - UAB can use patient's information for research, fundraising activities, marketing, and with business associates
TRUE - even though it seems to go against HIPAA, it states UAB has the right to all of these things in the patient information packet
HIPAA
The Health Insurance Portability and Accountability Act
Which department is responsible for enforcing criminal penalties for noncompliance with the HIPAA Privacy Rule?
U.S. Department of Justice
Who are the owner's of our patients PHI?
UAB/UABHS
PHI can be accessed only for
UAB/UABHS business/work-related purposes
Any one of the 18 identifiers combined with ______ is PHI
a reference to a diagnosis or medical condition
Which of the following is the acceptable guidance for emailing PHI? a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance. b. PHI can always be sent in an attachment to an email c. Email is not an approved means of communication at UAB/UABHS d. None of the above
a. Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance.
Privacy
an individual's right to keep certain information to himself or herself, with the understanding that their protected health information (PHI) will only be used or disclosed with their permission or as permitted by law.
"Sanitize" means to eliminate:
confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.
Principle investigators or designated researchers must provide a ________ to the covered entity holding that data before the data can be released for research.
copy of the fully executed IRB approval form
What steps should be taking before sending PHI via a fax machine? a. ensure you are using your entity's approved fax coversheet b. verify the fax number is correct c. limit the PHI contained in the fact to the minimum necessary, but do not put any PHI on the coversheet d. all of the above
d. all of the above
Which of the following is/are defined as PHI data elements under HIPAA? a. patient's name b. patient's photograph c. vehicle identifiers d. all of the above
d. all of the above
Why is it important to put away papers, such as folders, files, and reports, containing patient and other confidential information when you leave your work area? a. an unauthorized person could take the documents b. people with access to your area may not be authorized to access the information c. information could be mistakenly discarded d. all of the above
d. all of the above
What should I do if I suspect a breach involving protected health information? a. discuss it with my administrative supervisor b. report it to the privacy office, the office of corporate compliance, or the office of university compliance c. report it to my HIPAA ESC or EPC d. any of the above
d. any of the above
What can you do to avoid having unauthorized persons from overhearing your conversation about a patient? a. ask others to leave until you finish your conversation b. Write down the message on a small marker board, taking care to erase it when finished c. Don't talk to others about patients even if for patient care d. go to a more private area; lower your voice
d. go to a more private area; lower your voice
_______ is responsible for the privacy and security of our patient's PHI
everyone
Privileged PHI
information about abuse or neglect, alcohol or drug abuse, sexually transmitted diseases, HIV, or psychiatric treatment,
When HIPAA permits use or disclosure of PHI, a covered entity must use of disclose only the ________ PHI required to accomplish the purpose of the use or disclosure.
minimum necessary
What is a breach?
occurs when "unsecured PHI" is "acquired, accessed, used, or disclosed" in an unauthorized manner that compromises the security or privacy of the information
PHI can be sent via a fax machine if :
other more secure means of communication are not available or practical.
PHI
protected health information - any info that is created or received by a health care provider, health plan, or health care clearinghouse that relates to or describes the past, present, or future physical or mental health condition of an individual or past, present, or future payment for the provision of healthcare to the individual, and that can be used to identify the individual.
Portions of HIPAA most important for us
protecting the privacy and security of health data
Covered entities are permitted to use or disclose PHI for research purposes if...?
the Institutional Review Board (IRB) has approved the research and one or more of the following conditions exists: 1. a signed patient authorization is recorded 2. the research is decedent research 3. the process is preparatory to research 4. The research utilizes a Limited Data Set with a Data Use Agreement 5. The IRB grants a waiver for the required patient/participant signed authorization
Covered entities are permitted to use or disclose PHI for research purposes if
the Institutional Review Board (IRB) has approved the research and one or more of the following conditions exists:1. patient authorization2. decedent research3. preparatory to research4. Limited Data Set with a Data Use Agreement5. waiver
HIPAA states that PHI may be used and disclosed to facilitate
treatment, payment, and healthcare operations(TPO)
In addition, members of the UAB/UABHS work force are subject to what kind of disciplinary action?
up to and including termination of employment for noncompliance with HIPAA privacy and security regulations and standards
At UAB/UABHS, research is a_____ of PHI
use
Types of data protected by HIPAA
written documentation, paper records, medicine labels, ID bracelets, spoken and verbal info including voicemail, electronic databases, photographs, digital images
T/F: All types of protected health information (written, verbal, or spoken, and electronic) are protected by HIPAA.
True
What are examples of wrongful disclosures?
Accessing health information under false pretenses, releasing patient information with harmful intent, selling PHI, etc.
Which Department through the Office for Civil Rights enforces civil monetary penalties for noncompliance with HIPAA
Department of Health and Human Services
Which of the following is the acceptable guidance for emailing PHI?
Do not email PHI unless the transmission is within the UAB/UABHS's email systems. For all other email, contact your information systems representative for assistance.
True or False - Deleting a file removes the data from the media.
FALSE
True or False - It is okay to send. privileged PHI in a fax
FALSE
True or False - You can use your access to look up your own medical information or information on your family, friends, or co-workers.
FALSE
True or False - Formatting constitutes sanitizing the media.
FALSE Formatting does not constitute sanitizing the media.
True or False - HIPAA penalties and fines only apply to covered entities
FALSE - Penalties and fines apply to members of the work force and other individuals, NOT just to the covered entities.
True or False - PHI may always be disclosed to individuals involved in a patient's care or payment for care
FALSE - not if a patient objects
True or False - we are required to agree to patients' requests of their medical and dental information
FALSE - we are not required to agree to patient's request
True or False - All types of protected health information (written, verbal or spoken, and electronic) are protected by HIPAA.
True
If research study has been approved by the IRB, then a principle investigator can use her clinical access to view medical records (electronic or paper) to identify potential research participants but only from records of those patients for who she was directly involved in their care.
True